Closed pierre-elie closed 9 years ago
Great, I'll fix this as soon as I get home. The caveat is that you need to mount this middleware at the root.
Hi @pierre-elie! If you have the time and are willing, I would love it if you could verify the fix that is currently on master.
I went ahead and published it as 1.7.2, but I would still love to hear your assessment on the change as well :)
Hey, thanks a lot for the fast change!
It definitely fixes it, though I was wondering if there would be an advantage to using path.normalize() (in this specific case it would "convert" //www.google.com/../ to /).
There are a couple of reasons I didn't use path.normalize: 1) that's not a file system path, so it wouldn't even work right when run on Windows (path.normalize would change all the slashes to backslashes on Windows), and 2) consider that this module was mounted at /some/path and a user requested /some/path/.. ; we would redirect the user outside of this module's control, which would probably lead to some other kind of unexpected behavior.
P.S., if you haven't done so already, please feel free to report this to https://nodesecurity.io/ , where the affected versions are all < 1.7.2 and fixed is 1.7.2.
Right. Looks good to me then! Thanks again :)
And thank you so much for bringing this to my attention :)! Go community!
Reported by a researcher from https://bugcrowd.com/
Hey guys, this exact bug has existed in Python's SimpleHTTPServer since 2006. Feel free to attack them for it :)
Stumbled upon a weird behavior where serve-static would redirect to an external website when "asked nicely".

Reproduction Steps

Using express 4.10.6 and serve-static 1.7.1 on node 0.10.33.

1. Simple app.js
2. Start server
3. Open in Firefox http://localhost//www.google.com/%2e%2e
Request
Response
4. You get redirected to Google...

It works in Firefox, Safari and probably IE, not in Chrome. Setting serve-static's option redirect: false seems to fix it (but redirect: true is the default).

It looks like many applications could be affected. A quick test on apps listed on http://expressjs.com/resources/applications.html does not disappoint:

send emits directory in that case, which triggers the redirection.